10:02:15 pep.: Curious to know if there's anything you can do to prevent messages leaking once a terminal is compromised :x (as long as it's not known to be)

10:04:28 dwd: pep., It's more that if you think a device might be compromised, with OMEMO/Signal/etc the device has a cleartext archive, whereas without it won't and you can cut access to the server-side archive.

10:09:48 dwd: pep., So not much point in considering that case. Instead, consider the cases where endpoint compromise is known.

10:11:09 dwd: pep., And decide which you think is the greater risk - for some, that'll be the server being compromised, for others, the client. Which you feel is the bigger risk means you might want OMEMO-style encryption or not.

10:11:28 pep.: Sure there's a point in considering it as well. It's certainly a lot easier to get a hold of a user terminal when that user is targeted. When the user is not targeted directly and people are just interested in data, it's probably faster to try and compromise the server and I bet there's lots of servers not that good security-wise

10:12:13 dwd: pep., Right, but for a foreign intel agency, I would suspect the risk of a compromised client is probably higher.

10:13:05 dwd: pep., Same for us, actually. I believe the risk of a community nurse leaving their phone in a patient's house is higher than someone breaking into our servers.

14:07:40 Alex: Reminder that the current application period ends by the end of this week. In case you want to apply, recruit someone to apply, or need to reapply:
https://wiki.xmpp.org/web/Membership_Applications_Q1_2020
Thanks

15:28:12 moparisthebest: I get people have opinions re: DKIM/SPF/DMARC but that's not really relevant, they are a thing most email providers implement, and if we want most people to be able to receive mail to the list, it has to be fixed

15:28:24 jonas’: moparisthebest, yeah, help me get hands on a mailman admin

16:26:11 Ellenor Malik: > dwd has written:
> edhelas, In particular, BND presumably do trust their server, and probably more than the mobile devices used in the field.
Trusting the server does not seem like a viable threat model ever